[horde] How to secure horde properly?

[Thomas Trepper]

Hi all, 

I have installed the latest version of horde webmail 5.2.19 via PEAR and the install/wiki suggests to install it in /var/www/<something> where /var/www is typically the document root. 
If I chown the directory now to allow www-data (apache) access I think it can be abused as well - can’t it?

What do I have to do to properly secure such a horde webmain installation please?

Thanks a lot in advance and all the best,

Thomas